0

After using the chrome debugger to inspect the ajax requests of Facebook (for curiosity), I noticed that the response is in JSON, however it is always prefixed with

for(;;);

In example, if the JSON were {hello:"world"}, then Facebook would respond

for(;;); {hello:"world"}

Does this have any use? I imagine it must have a purpose...

Improve this question
4
  • 4
    to force a crash if it is evaled? Commented Aug 22, 2014 at 14:19
  • 8
    Similar to this question on SO: stackoverflow.com/q/2669690/1102962 Commented Aug 22, 2014 at 14:20
  • I spent a while looking on google and couldn't find any answers... Thanks for sharing the link Commented Aug 22, 2014 at 14:21
  • Oh you got me.. Commented Aug 22, 2014 at 14:46

1 Answer 1

Reset to default
1

The prevention of JSON hijacking is the use case:

Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The empty for statement causes an infinite loop, which blocks the data from being used in a non-AJAX context.

References

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.